Abstract
It is important to hide DNN models from adversaries not only for protecting intellectual property but also for preventing attacks. Isolated execution environments (IEEs) are necessary to protect the DNN model in an edge device. Conventional studies on DNN inference in IEEs have focused on model confidentiality and not the threat of model evasion attacks. If some of the model parameters or intermediate results are leaked to adversaries, model evasion attacks may occur even if the confidentiality of the model is secured. In this work, we performed attacks against partially encrypted DNN models that are executed on IEEs. In an existing proposal, a feature extractor of the model is executed in a normal world and a classifier is executed in a secure enclave, but there is still a threat that an adversary may perform a gradient-based model evasion attack against a feature extractor. We performed gradient-based model evasion attacks against the feature extractor more efficiently by preparing multiple guide images. Our results clarified that all parameters on the feature map should be kept secret by the parameter encryption. In addition, we consider another risk case where calculated values on the feature extractor are stored in the unencrypted memory and demonstrated the gradient estimation-based model evasion attack by exploiting the intermediate feature maps. Our results indicate that both DNN model parameters and intermediate feature maps should be concealed not only for protecting intellectual property but also for preventing model evasion attacks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Bhagoji, A.N., He, W., Li, B., Song, D.: Practical black-box attacks on deep neural networks using efficient query mechanisms. In: Proceedings of the European Conference on Computer Vision (ECCV), September 2018
Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: ImageNet: a large-scale hierarchical image database, pp. 248–255. Institute of Electrical and Electronics Engineers (IEEE), March 2010
Dong, Y., et al.: Boosting adversarial attacks with momentum. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, pp. 9185–9193, October 2017
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: 3rd International Conference on Learning Representations, ICLR, December 2015
Graepel, T., Lauter, K., Naehrig, M.: ML confidential: machine learning on encrypted data. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 1–21. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37682-5_1
Hanzlik, L., et al.: MLCapsule: guarded offline deployment of machine learning as a service, August 2018
Huang, Q., Katsman, I., He, H., Gu, Z., Belongie, S., Lim, S.N.: Enhancing adversarial example transferability with an intermediate level attack. In: Proceedings of the IEEE International Conference on Computer Vision, pp. 4732–4741, July 2019
Inkawhich, N., Wen, W., Li, H.H., Chen, Y.: Feature space perturbations yield more transferable adversarial examples. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2019-June, pp. 7059–7067. IEEE Computer Society, June 2019
Mohassel, P., Zhang, Y.: SecureML: a system for scalable privacy-preserving machine learning. In: Proceedings - IEEE Symposium on Security and Privacy, pp. 19–38. Institute of Electrical and Electronics Engineers Inc., June 2017
Narodytska, N., Kasiviswanathan, S.: Simple black-box adversarial attacks on deep neural networks. In: IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops, vol. 2017-July, pp. 1310–1318, August 2017
Paszke, A., et al.: PyTorch: An Imperative Style, High-Performance Deep Learning Library. arXiv, December 2019
Sabour, S., Cao, Y., Faghri, F., Fleet, D.J.: Adversarial manipulation of deep representations. In: 4th International Conference on Learning Representations, ICLR 2016 - Conference Track Proceedings, November 2015
Schlögl, A., Böhme, R.: eNNclave: offline inference with model confidentiality. In: Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security. ACM, New York (2020)
Senzaki, Y., Ohata, S., Matsuura, K.: Simple black-box adversarial examples generation with very few queries. IEICE Trans. Inf. Syst. 103(2), 212–221 (2020)
Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: 3rd International Conference on Learning Representations, ICLR 2015 - Conference Track Proceedings, September 2015
Stallkamp, J., Schlipsing, M., Salmen, J., Igel, C.: Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition. Neural Netw. 32, 323–332 (2012)
Wang, B., et al.: With great training comes great vulnerability: practical attacks against transfer learning. In: USENIX, pp. 1281–1297 (2018)
Xie, P., Bilenko, M., Finley, T., Gilad-Bachrach, R., Lauter, K., Naehrig, M.: Crypto-Nets: Neural Networks over Encrypted Data, December 2014
Acknowledgments
This work was supported by JST-Mirai Program Grant Number JPMJMI19B6, Japan.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Yoshida, K., Fujino, T. (2021). Model Evasion Attacks Against Partially Encrypted Deep Neural Networks in Isolated Execution Environment. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2021. Lecture Notes in Computer Science(), vol 12809. Springer, Cham. https://doi.org/10.1007/978-3-030-81645-2_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-81645-2_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81644-5
Online ISBN: 978-3-030-81645-2
eBook Packages: Computer ScienceComputer Science (R0)